Too Much Sharing in the Sharing Economy? Uber’s Use of Our Passenger Data Highlights the Perils of Data Collection via Geolocation

In order to allow us to hail cars with ride sharing apps, and find people to hook up with or have a drink with via other apps, companies use geolocation technology on our mobile devices. And based on this geolocation, the same companies learn a lot about us and our personal proclivities.

One example of such a company is Uber, the popular ride-sharing company, which has acquired a reputation for being overly cavalier about data privacy. As a result, it’s no surprise that some in Congress have taken notice. For a second time, Senator Al Franken (D-Minn.) has sent a letter to Uber, asking the company to clarify its murky privacy practices.

The ridesharing company recently shared the results of a privacy audit conducted by a law firm. Uber commissioned the report from Hogan Lovells in the fall, after a series of comments made by a senior executive, and other news stories revealed that Uber was sharing customer data with its employees, often for shocking reasons. In particular, the public learned about a feature called “God View” that allowed management to track the whereabouts and movements of all users in real time.

Based on the November incidents, Senator Franken, who is the Chairman of the Senate Subcommittee on Privacy, Technology and Law, sent a letter to Uber to seek clarity on its privacy practices. Franken called on the company and others that track our geolocation to be more transparent about their privacy policies.

Hogan Lovells’ audit report gives Uber a high mark for its new privacy policies. For example, the company has adopted new procedures for erasing user data when customers terminate their accounts, and it performs background checks on any employee who has access to data. In this column, I will describe how Uber’s audit still lacks answers to our most fundamental questions: who precisely within the company is looking at our data and why. I will also discuss how Uber’s recent scandals highlight the need for stronger protections in the geolocation privacy area.

God View and the Scandal That Prompted the Audit

Uber uses a smartphone app to receive requests for trips, and then dispatch available drivers to riders. During this process, Uber collects a lot of information about us—some of it relating to who we are—but it also tracks where we go. Hence the term “God View” for a feature that allows Uber to track users in real time—an omnipresent and all-knowing company.

According to its privacy policy, Uber collects personal information including your name, email address, country, language, password, mobile phone number, IP address, MAC address, and your credit card number, expiry date, and security code. If you add a photo to your profile, this is captured and may be shared as well.

The company also collects “usage information,” including a rider’s Internet browser, IP address, and geolocation data gathered during Uber trips. This information may then be shared with the rider’s driver. Uber’s privacy policy states that Uber may also share a rider’s personal information and usage information with third parties, such as its parent, subsidiaries, and affiliates, for “internal reasons.”

A lot of Uber’s data can be really useful. The company uses it to help cities like Boston plan traffic patterns, for example. But Uber has been lambasted for using geolocation to spy on individual passengers. In November 2014, Uber vice president Emil Michael suggested that the company would find dirt about the personal lives of journalists critical of Uber. Peter Sims, a venture capitalist, discovered that his real time location data was broadcast to a large audience at a Chicago Uber launch party. And a Buzzfeed reporter in November was tracked on her way to an interview at Uber’s New York headquarters. The Uber employee with whom the journalist met also emailed her logs of her prior Uber trips.

The data that Uber tracks has broader applications beyond keeping tabs on individual riders. In 2011, the company’s blog posted internal research that showed big data links between high crime neighborhoods in San Francisco and the locations where people requested an Uber car. The post was later deleted (but is now cached elsewhere). The cached URL shows that the deleted post was once titled, “How Prostitution and Alcohol Make Uber Better.” Uber’s researchers found that areas with large populations and high crime rates requested more Uber rides, especially locales with higher incidences of prostitution, alcohol, theft, and burglary.

Uber employees have used the notorious God View to display at parties a map of identified riders using the service in real time. Uber has also reportedly tracked what they termed “Rides of Glory,” i.e., riders between the hours of 10 p.m. and 4 a.m. on a Friday or Saturday night, who were picked up about six hours later. Uber employees did this to determine which Uber users had had “one night stands.”

As a consequence of these reports, Uber has experienced a backlash as more customers have asked to be removed permanently from the service. Uber has since revamped its privacy policy and hired Hogan Lovells to conduct its audit. Uber also posted a blog about its privacy policy to respond to criticisms, which states that it has a strict policy prohibiting all employees (including management) from accessing a rider’s or driver’s data, with the only exception being for “a limited set of legitimate business purposes.”

Senator Franken sent Uber ten questions focused on alleged inconsistencies with Uber’s stated privacy policy and its actual practices. Among them was a request for Uber to identify its stated “limited set of legitimate business purposes” that grant Uber employees access to riders’ usage information, including “sensitive geolocation data.” Senator Franken also questioned Uber’s lack of transparency in its privacy policy, which states Uber may share customers’ personal and usage information with its “parent, subsidiaries, and affiliates for internal reasons,” without defining the term. Franken was asking Uber to be specific rather than vague about what it was doing with customer data.

In response to Franken’s request, Uber shared its audit report with the Senator. In its 70-page report, Hogan Lovells made several recommendations that Uber has agreed to implement. Going forward, the company plans to start performing frequent reviews of its privacy program, and will help users to understand its policies more clearly. Uber will also make the star ratings that riders are given by Uber drivers more transparent. Currently, riders can see their rating only by emailing Uber.

But the audit didn’t appear to bring clarity to the key question that’s been on Senator Franken’s mind: Who in the company has access to its most sensitive data—the locations of passenger pickups and drop-offs?

Uber has repeatedly said that it restricts access to that data to employees with a “legitimate business purpose.” According to its November blog post, a legitimate business purpose could include workers monitoring fraud, facilitating payments, troubleshooting bugs, and supporting riders and drivers in order to solve problems brought to their attention by the Uber community.

That definition is too broad, according to Senator Franken. In a second letter he sent to Kalanick in early February 2015, Franken asked again for more details about who has access to God View. “I would like to understand for whom it is necessary to have a real-time view of trips and why,” asks Franken. “Who within the company makes the determination of necessity? What portion of your staff has access to the God View tool?”

Hogan Lovells, despite using the phrase “legitimate business purpose” eight times in its report, did not recommend a more specific definition of the concept. Instead, the firm wrote, “Uber is transparent about its collection of geolocation data.” The audit does mention God View, saying that the company retired this tool over a year ago in favor of a new dashboard that masks the identity of individual users and requires approval from certain authorized personnel to retrieve user data.

Uber says access to user data is limited to employees who have a need to know it, like those investigating fraud, answering user-driver inquiries or conducting trip analyses, said Katherine Tassi, Uber’s privacy counsel. But Tassi and Uber management have not provided an exact figure or assured us as to the limit of legitimate purposes. They have told us only the normal situations in which an employee might look at our trip record, not whether there are other times when individuals might sneak a peek, be it for research or the launch parties.

The audit does not discuss how many privacy violations had been found nor how Uber had disciplined anyone who has accessed customer data without proper authority. And this is the heart of the matter; since Uber has breached our trust, it needs to reassure users and policymakers with details and concrete actions, not a restatement of a broad policy.

Hogan Lovells, however, examined Uber’s privacy program, not specific allegations of privacy violations. So we don’t actually know how common it is for Uber employees to eyeball our data, despite the company’s policy. “We’re not going to comment on those specific instances that were in the press, but in general, we’re an organization of human beings and human beings make mistakes,” says Tassi. We do know that Uber disciplined one executive, Josh Mohrer, for tracking that Buzzfeed reporter’s ride, but we’re not sure how. But that’s about it.

Beyond Uber’s Own Audit: What’s Next in the Geolocation Space

The FTC and other regulators seem increasingly concerned with the privacy implications of mobile and geolocation data. Location-based services (applications that provide information to users based on their location) are growing at an exponential rate alongside the rise in mobile smartphone devices.

It is no surprise, then, that 2014 may also have been the year that consumers’ concern about mobile privacy finally caught up with their wide acceptance and use of the platform. Uber is not the only company to come under intense consumer and regulatory scrutiny in 2014 for its privacy failings.

While no law currently exists on the collection of geolocation information without consumer consent, it is unlawful for companies’ privacy policies to be “unfair and deceptive” under the FTC’s rules. For instance, Snapchat recently found itself under investigation because its privacy policy represented that it did not collect location-based information when it in fact did. The FTC reached a settlement with Snapchat. The FTC also settled with the developer of the mobile app Brightest Flashlight for failing to adequately disclose the collection and sharing of consumer geolocation information in its privacy policy. Some commentators note that Uber may also find itself in hot water, given its past privacy gaffes.

Lawmakers have also focused on geolocation services. Last year, Senator Franken introduced Senate Bill 2171, the Location Privacy Protection Act of 2014 (LPPA). This bill would, among other things, require consumer consent before companies could track geolocation data, and would require companies collecting the location data of 1,000 or more devices to post online the kinds of data they collect, how they share and use it, and how people could opt out of data collection. The FTC testified in favor of the LPPA before the Senate Judiciary Committee last June. With Senator Franken continuing to monitor how Uber and other companies track us in the sharing economy, we may find that Congress protects us from inadvertent oversharing of our data.

Anita Ramasastry is the UW Law Foundation Professor of Law at the University of Washington School of Law in Seattle, where she also directs the graduate program on Sustainable International Development. She is also a member of the Law, Technology and Arts Group at the Law School. Ramasastry writes on law and technology, consumer and commercial law, and international law and globalization.